Kaspersky Unmasks "Icefog" Cyberattacks

These assaults target specific information, such as passwords and critical files. And once the attackers have what they want, they cover their tracks and slip away into the void. The newly revealed attacks provide a glimpse into a shadowy world in which cybercrime and possible espionage are blurred together in attacks on strategic industries and their global supply chains.

Costin Raiu, head of the Global Research & Analysis Team at Kaspersky Lab, notes that the Icefog attacks show a distinctly different style from more traditional advanced persistent threats, or APTs.

Traditional APTs, says Raiu, burrow into organizations' networks over a period of years to smuggle out terabytes of information. Hence the term "persistent." The typical Icefog operation, however, "usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave."

Raiu – who expects to see more attacks of this type – characterized the attackers as "a kind of 'cyber mercenary' team for the modern world."

Targeting Strategic Industries and Their Supply Chains

So far, the Icefog attackers have concentrated on firms in Japan and South Korea that do business with Western companies, and the attacks were specifically targeted at global supply chains. They made off with company plans, email account credentials, passwords and other critical information.

The pattern indicates that the attackers – who were also evidently based in Japan and South Korea, as well as China – knew precisely what they were after.

While the security investigators did not speculate on the underlying motives of the attackers (or whoever hired them), the targeted firms and organizations included shipbuilders, heavy industry, media firms, and the Japan-China Economic Organization, among others. The strategic overtones of the target list are unmistakable.

No one, however, expects the new style of APT attacks to stay confined to Asian strategic and economic targets. Icefog itself, and similar operators, can be counted on to attack wherever there is money to be made. Raiu predicted that the cybersecurity industry would see more of these groups in the future: small, targeted crews of mercenaries that can be hired to go after specific targets.